Response integration between Forcepoint NGFW and Lumu
Allow all the traffic to the following hosts. These are required for the operation of this integration:
Before you deploy and implement the Lumu Integration, you need to prepare your Forcepoint SMC to ensure the integration works as expected.
1. Go to Menu (Hamburger Icon) > System Tools > Global System Properties.
2. Click on the Change Management Tab and check on Allow to Administration to Approve Their own Changes.
You need to enable SMC API to allow requests from the integration script. Go to your Forcepoint SMC console and follow these steps:
1. Go to Configuration > Network Elements > Servers
2. Right-click on the management server object and click on Properties…
3. Locate yourself on the SD-WAN Manager Console API tab
4. Modify the configuration following these directions:
a. Click on the Enable checkbox
b. You can change the Port Number. Make sure you take note of the configured port
c. Enable TLS encryption by selecting a Server Credentials record
d. Select a Server TLS Cryptographic Suite Set
5. Save the configuration by clicking on the OK button
It’s strongly recommended to create a custom administrator role to be used by the integration to limit the permissions over your Forcepoint deployment to just the required ones. Create a role within your Forcepoint SMC console following these steps:
1. Go to Configuration > Administration > Access Rights > Administrator Roles
2. Right-click on the role list and click on New Administrator Role
3. Fill in the required data. Make sure the following permissions are assigned to the role.
Section | Permission |
Element Rights for Granted Elements | Approve Changes |
Element Rights for Granted Elements | Delete Elements |
Element Rights for Granted Elements | Edit Element Properties |
Element Rights for Granted Elements | View Element Contents |
Action Rights | Create Elements |
Action Rights | Refresh Policies |
Your new role must look as follows:
4. Click on the OK button to save your new role
To create a Forcepoint SMC API account, follow these steps on your Forcepoint SMC console:
1. Go to Configuration > Administration > Access Rights > API Clients
2. Right-click on the Api Clients list and click on New API Client
3. Fill in the API client information.
4. Under the Permissions tab, check the Restricted Permissions option, then select the role created in the previous step
The integration set-up process needs you to collect this information from Lumu portal:
Log in to your Lumu portal and run the following procedures to collect these data.
To collect the Lumu Defender API key, refer to the Defender API document.
To collect your Lumu company UUID, log in to your Lumu portal. Once you are in the main window, copy the string below your company name.
There are 2 environment options to deploy the script, select the one that best fits your current infrastructure.
Whichever alternative you select, you need to first unpack the integration package shared by our Support team.
Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <app_lumu_root>.
To set up the integration, you need to add and edit two configuration files:
The companies file is in charge of defining how the integration connects to Lumu and extracts the information of the incidents and related indicators of compromise.
-lumu:uuid: "<COMPANY-UUID>"[name: "<COMPANY-NAME>"][contact_name: "<CONTACT_NAME>"][contact_email: "<CONTACT_EMAIL>"]defender_key: "<DEFENDER_API_KEY>"hash_type: "<HASH_ALG>" # sha256 | sha1 | md5ioc_types: # list of ioc types, option one, many or all- ip- domain- url- hashadversary: # list of adversary types, option one, many or all- C2C- Malware- Mining- Spam- Phishingdays: 30 # MIN 1, MAX 30
The integration file contains the information required for the integration to connect and interact with your Forcepoint FMC deployment:
- -
lumu:
uuid: "<COMPANY_UUID>"
days: 10 # INTEGER=(get incidents from X days of the ioc manager local db)
app:
name: "<CLIENT-NAME>" # Name of the headquarters, branch, office, client
clean: false # true # either clean the instance IOC or not
GlobalList: false # true # either append the instance IOC to global list in the same Management Server or not
ioc: # ["ip", "domain", "url"] list of one, many or all ioc types
- ip
- domain
- url
engines: # list of the Engine Names (Case Sensitive) | null (include all Elements related engine)
- "ENGINE-NAME-1"
- "ENGINE-NAME-2"
- "ENGINE-NAME-X"
- ...
commit_strategy: integration-only # STRING Options: all | integration-only | null
api:
url: "<PROTO://IP_HOSTNAME:PORT>"
api_key: "<API-KEY>"
verify_cert: false # true
version: "<API-VERSION>" # e.g NUMBER=(float, int) 7.2 | null
To deploy the integration as script, you need to run the install.sh script inside the integration package.
To run the installation script, locate yourself in the app_lumu_root folder, then execute this line through CLI.
The installation script will set up the Python environment and two different cron jobs.
To use the script, you must locate yourself on the path selected for deployment (<app_lumu_root>). Use the following command to show all options available for the package:
Usage:
Options | Description |
---|---|
-h, --help | show this help message and exit |
--config CONFIG | default: integrations.yml, CONFIG FILE PATH of the companies, follow the nex YML template. |
--ioc-manager-db-path IOC_MANAGER_DB_PATH | default path: ./db.sqlite, PATH where the integration goes to read the Lumu Incidents |
--logging {screen,file} | Logging option (default screen). |
-c, --clean | the flag means Clean all integration and override the yml clean field |
--verbose, -v | Verbosity level. |
--hours HOURS | keep db log record from [x hours], for auto maintenance local db purpose |
To query all the IOC related to Lumu incidents triggered in the last 30 days, run the following command.
By default, the integration script will query incidents related to all adversary types. If you need to filter the query to specific adversary types, you can use the --adversary-types flag as follows
To clean the existing records in Elastic, just set up the clean flag in the integrations.yml file to true.
Then, run the integration script as follows:
Or you can run the clean command directly to clean all the companies
According to your needs, you can combine the examples shown, also, adding the –logging {file, screen} and –verbose argument can be used for better understanding of what can be rolling wrong.
If you have a Docker environment, you can select this option to run the integration as a Docker process. To deploy and run your integration as a docker container, locate yourself at the <app_lumu_root> folder, and follow these instructions:
1. Build the container by running the following command.
docker build [--build-arg IOC_MAN_CONFIG='companies.yml'] [--build-arg APP_CONFIG='integrations.yml'] --tag python-lumu-forcepoint-smc-response --file DockerfileAllInOne .Do not forget the dot "."2. Run the container by using the following command.
docker run -d --restart unless-stopped --name lumu-forcepoint-smc-response python-lumu-forcepoint-smc-response
With this mode, your integration will run every 30 minutes.
For troubleshooting purposes, you can run the following commands:
To log in to your container using an interactive shell:
To collect integration logs:
After running the integration, you will see new objects under the Configuration section in your Forcepoint SMC. You need to reference these in your policies according to your needs.
To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.
The application logs will be redirected to lumu.log file. The file errors.log stores only the errors to make them easier to find and aid the troubleshooting process.
If you receive the following error.
There could be another instance running. To check this, open the pid.pid file in the integration folder. This file stores the process ID if it’s running.